Configure SSL for External HTTP Traffic to and from Tableau Server
You can configure Tableau Server to use Secure Sockets Layer (SSL) encrypted communications on all external HTTP traffic. Setting up SSL ensures that access to Tableau Server is secure and that sensitive information passed between the server and Tableau clients—such as Tableau Desktop, Tableau Mobile, the REST API, and so on—is protected. Steps on how to configure the server for SSL are described this topic; however, you must first acquire a certificate from a trusted authority, and then import the certificate files into Tableau Server.
In this article
Acquire an Apache SSL certificate from a trusted authority (for example, Verisign, Thawte, Comodo, GoDaddy). You can also use an internal certificate issued by your company. Wildcard certificates, which allow you to use SSL with many host names within the same domain, are also supported.
When you acquire an SSL certificate for external communication to and from Tableau Server, follow these guidelines and requirements:
If your organization issues certificates with a local PKI, or if you are using certificates that are not issued by a trusted certificate authority, you’ll need a certificate authority (CA) certificate file to identify the trusted CA.
The CA certificate file must be a valid PEM-encoded X509 certificate with the extension
.crt. If you have multiple trusted certificate authorities, you can copy and paste the entire contents of each CA certificate, including the "BEGIN CERTIFICATE" and "END CERTIFICATE" lines, into a new file, and then save the file as
Use a SHA-2 (256 or 512 bit) SSL certificate. Most browsers no longer connect to a server that presents an SHA-1 certificate.
In addition to the certificate file, you must also acquire a corresponding SSL certificate key file. The key file must be a valid RSA or DSA private key file (with the extension
You can choose to passphrase-protect the key file. The passphrase you enter during configuration will be encrypted while at rest. However, if you want to use the same certificate for SSL and SAML, you must use a key file that is not passphrase protected.
A certificate chain file is required for Tableau Desktop on the Mac. In some cases, a certificate chain file may be required for Tableau Mobile. For example, if you are using a self-singed certificate or if you are generating certificates with an internal certificate authority, then you may need a certificate chain for Tableau Mobile. The chain file is a concatenation of all of the certificates that form the certificate chain for the server certificate. All certificates in the file must be x509 PEM-encoded and the file must have a
For multiple host names or sub-domains, Tableau Server supports wildcard certificates.
Note: If you plan to configure Tableau Server for single-sign on using SAML, see About the certificate and key files in the SAML requirements to help determine whether to use the same certificate files for both SSL and SAML.
You can configure a Tableau Server cluster to use SSL. If the initial node is the only one running the gateway process (which it does by default), you need to configure SSL only on that node, using the steps described in this topic.
SSL with multiple gateways
A highly available Tableau Server cluster can include multiple gateways, fronted by a load balancer. If you are configuring this type of cluster for SSL, you have the following choices:
Configure the load balancer for SSL: Traffic is encrypted from the client web browsers to the load balancer. Traffic from the load balancer to the Tableau Server gateway processes is not encrypted. No SSL configuration in Tableau Server is required by you. It’s all handled by the load balancer.
Configure Tableau Server for SSL: Traffic is encrypted from the client web browsers to the load balancer, and from the load balancer to the Tableau Server gateway processes. For more information, continue to the following section.
Additional configuration information for Tableau Server cluster environments
When you want to use SSL on all Tableau Server nodes that run a gateway process, you complete the following steps.
Configure the external load balancer for SSL passthrough.
Or if you want to use a port other than 443, you can configure the external load balancer to terminate the non-standard port from the client. In this scenario, you would then configure the load balancer to connect to Tableau Server over port 443. For assistance, refer to the documentation provided for the load balancer.
Make sure the SSL certificate is issued for the load balancer’s host name.
Configure the initial Tableau Server node for SSL.
Place the same SSL certificate and key file that you used for the initial node on each subsequent Tableau Server node that runs a gateway process. Use the same folder location on all computers.
If you are using mutual SSL, place the SSL CA certificate file in the same location on all computers that run a gateway process.
You do not need to do any additional configuration on the subsequent nodes.
Say you have a cluster that includes an initial Tableau Server node and three additional nodes, with gateway processes running on the initial, node2 and node3. In this situation, you configure the initial Tableau Server for SSL, and then copy the same SSL certificate and key files to node2 and node3, to the same location as on the initial node.
Place the certificate files in a folder named SSL, parallel to the Tableau Server 2018.2 folder. For example:
C:\Program Files\Tableau\Tableau Server\SSL
This location gives the account that's running Tableau Server the necessary permissions for the files. You may need to create this folder.
Use the method you’re most comfortable with.
Open TSM in a browser:
https://<tsm-computer-name>:8850. For more information, see Sign in to Tableau Services Manager Web UI.
On the Configuration tab, select Security > External SSL.
Under External web server SSL, select Enable SSL for server communication.
Upload the certificate and key files, and if required for your environment, upload the chain file and enter the passphrase key:
Click Save Pending Changes.
Click Apply Changes and Restart.
After you have copied the certificate files to the local computer, run the following commands:
tsm security external-ssl enable --cert-file <path-to-file.crt> --key-file <path-to-file.key>
tsm pending-changes apply
See the command reference at tsm security external-ssl enable to determine whether you want to include additional options for
external-ssl enable. Tableau has specific recommendations for the
external-ssl enable command imports the information from the .crt and .key files. If you run this command on a node in a Tableau Server cluster, it also distributes the information to any other gateway node.
pending-changes apply command displays a prompt to let you know this will restart Tableau Server if the server is running. The prompt displays even if the server is stopped, but in that case there is no restart. You can suppress the prompt using the
--ignore-prompt option, but this does not change the restart behavior. For more information, see tsm pending-changes apply.
After the server has been configured for SSL, it accepts requests to the non-SSL port (default is port 80) and automatically redirects to the SSL port 443.
Note: Tableau Server supports only port 443 as the secure port. It cannot run on a computer where another application is using port 443.
SSL errors are logged in the at the following location. Use this log to troubleshoot validation and encryption issues: